Pages

Thursday, September 13, 2018

HR 6638 Introduced – Cybersecurity Governance

Back in July Rep. Himes (D,CT) introduced HR 6638, the Cybersecurity
Disclosure Act of 2018. The bill directs the Security and Exchange Commission
to require reporting companies to include in annual reports a listing of senior
personnel with expertise or experience in cybersecurity.

The bill gives the gives the Commission 360 days to issue
final rules requiring reporting companies “disclose whether any member of the
governing body, such as the board of directors or general partner, of the
reporting company has expertise or experience in cybersecurity and in such
detail as necessary to fully describe the nature of the expertise or experience”
{2(b)(1)}.

Moving Forward

Himes and his two Democratic cosponsors {Rep. Meeks (D,NY)
and Rep. Heck (D,WA)} are members of the House Financial Affairs Committee two
which this bill was assigned for consideration. Normally, this could provide
them with sufficient influence to have the bill considered in Committee. This
late in the session, however, such consideration is unlikely.

Business interests with no cybersecurity representation
(probably a large majority of middle size and smaller businesses) would be
expected to oppose such reporting requirements. Since this is a major Republican
constituency, I expect that there will be little or no support from Republicans
on this bill.

Commentary

There is something odd about the way this bill was written.
It includes a list of definitions in §2(a),
two of which are never used in the bill. Those two definitions are the only
reason that I am discussing the bill. The two terms? “Cybersecurity Threat” and
“Information System”.

The first term is defined in two parts. The first {§2(a)(2)(A)}:

An action, not protected by the
First Amendment to the Constitution of the United States, on or through an
information system that may result in an unauthorized effort to adversely
impact the security, availability, confidentiality, or integrity of an information
system or information that is stored on, processed by, or transiting an
information system.”

The second part of the definition is the now obligatory {§2(a)(2)(B)}:

Does not include any action that
solely involves a violation of a consumer term of service or a consumer
licensing agreement.

Nothing new or interesting here; it is a now standard
IT-centric cybersecurity definition. The next term would normally also fall
within that description, but the crafters of this bill included an addendum to
one of the standard ‘information system’ definitions {§2(a)(3)(B)}:

Includes industrial control
systems, such as supervisory control and data acquisition systems, distributed
control systems, and programmable logic controllers.

We have seen both of these in other pieces of legislation,
but the odd thing here is that neither definition has anything to do with the
requirements of the bill. The definition of the key term in the bill; ‘expertise
or experience in cybersecurity’ is left for the Commission to define; in
consultation with NIST.

The best that I can figure is that Hines is using these two
definitions to establish congressional intent that cybersecurity (for the
purposes of this particular Commission regulation) includes control system
security. Whether or not this would encourage reporting companies to include
people with an ICS background in their governing bodies remains to be seen, but
it might (should?) encourage the SEC to allow for such eventuality in their
definition of ‘expertise or experience in cybersecurity’.

About Me

I spent 15 years in the US Army as an Infantry NCO. After getting out of the Army I started working in the chemical industry, getting my BSc Chemistry degree while working as a technician. I spent 12 years working as a process chemist in a specialty chemical company. Most recently I worked as a QA/R&D Manager in a specialty chemical manufacturing facility. Currently I am working as a freelance writer.